DEV Community

Jer

Using Google Secrets Manager with Kubernetes

If you're running applications on Kubernetes, you know that managing secrets (such as passwords, API keys, and other sensitive data) can be a challenge. You want to keep your secrets secure, but at the same time you need to make them accessible to your applications when they need them.

One solution to this problem is to use the Google Cloud Secret Store CSI driver. This driver allows you to store and manage your secrets in Google Cloud's Secret Manager service, and then access them from your Kubernetes pods using the Container Storage Interface (CSI).

To use the Secret Store CSI driver, you'll need to have a Google Cloud account and a Kubernetes cluster running on Google Kubernetes Engine (GKE).

Here's an example of how you might use the Secret Manager CSI driver in a deployment configuration file:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      # A k8s ServiceAccount carrying the iam.gke.io/gcp-service-account annotation,
      # bound to the GCP service account that is allowed to read the secret.
      # It must be set here on the pod template, not on the Deployment spec.
      serviceAccountName: my-service-account
      containers:
      - name: my-app
        image: my-app:latest
        volumeMounts:
        - name: secrets
          mountPath: /secrets
      volumes:
      - name: secrets
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "my-secrets"
```

In this example, the Secret Manager CSI driver mounts a volume at the path "/secrets" in our container, and the SecretProviderClass below tells the driver to write the Secret Manager secret into that volume as a file named "file-name-containing-your-secret". Our application can then access the secret by reading "/secrets/file-name-containing-your-secret".

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secrets
  labels:
    app.kubernetes.io/name: my-app
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/{YOUR_PROJECT_RESOURCE_ID}/secrets/your-secret-name/versions/latest"
        path: "file-name-containing-your-secret"
```
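Two things commonly go wrong with this pairing: the serviceAccountName ends up on the Deployment spec instead of the pod template (so Workload Identity never binds), and the volume's secretProviderClass or the resourceName does not line up with what Secret Manager expects. The following lint script is an added example, not code from the original post; it works on the manifests as Python dicts (the shape yaml.safe_load returns), and the embedded sample objects are constructed to mirror the ones above, with an assumed project id 123456789 and secret name db-password.

```python
import re

CSI_DRIVER = "secrets-store.csi.k8s.io"
# Secret Manager resource names look like projects/<id>/secrets/<name>/versions/<ver>
RESOURCE_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/[^/]+$")

def lint(deployment, provider_classes):
    """Return findings for a Deployment and its SecretProviderClass objects (empty = sound)."""
    findings = []
    pod = deployment["spec"]["template"]["spec"]
    if "serviceAccountName" in deployment["spec"]:  # not a Deployment field, so never applied
        findings.append("serviceAccountName must sit under spec.template.spec, not spec")
    if "serviceAccountName" not in pod:
        findings.append("pod template has no serviceAccountName, so Workload Identity cannot bind")
    classes = {c["metadata"]["name"]: c for c in provider_classes}
    for vol in pod.get("volumes", []):
        csi = vol.get("csi") or {}
        if csi.get("driver") != CSI_DRIVER:
            continue
        if csi.get("readOnly") is not True:
            findings.append(f"volume {vol['name']}: secret volume should be readOnly: true")
        name = csi.get("volumeAttributes", {}).get("secretProviderClass")
        spc = classes.get(name)
        if spc is None:
            findings.append(f"volume {vol['name']}: no SecretProviderClass named {name!r}")
            continue
        # 'secrets' is a YAML block scalar; pull the resourceName values out with a regex
        secrets = spc["spec"].get("parameters", {}).get("secrets", "")
        for res in re.findall(r'resourceName:\s*"?([^"\s]+)"?', secrets):
            if "{" in res:
                findings.append(f"{name}: unsubstituted placeholder in {res}")
            elif not RESOURCE_RE.match(res):
                findings.append(f"{name}: malformed resourceName {res}")
    return findings

# Constructed sample manifests mirroring the post (project id and secret name are made up)
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "my-app"}},
        "template": {"metadata": {"labels": {"app": "my-app"}}, "spec": {
            "serviceAccountName": "my-service-account",
            "containers": [{"name": "my-app", "image": "my-app:latest",
                            "volumeMounts": [{"name": "secrets", "mountPath": "/secrets"}]}],
            "volumes": [{"name": "secrets", "csi": {"driver": CSI_DRIVER, "readOnly": True,
                         "volumeAttributes": {"secretProviderClass": "my-secrets"}}}]}}}}
SPC = {"apiVersion": "secrets-store.csi.x-k8s.io/v1", "kind": "SecretProviderClass",
       "metadata": {"name": "my-secrets"}, "spec": {"provider": "gcp", "parameters": {"secrets":
           '- resourceName: "projects/123456789/secrets/db-password/versions/latest"\n'
           '  path: "db-password"\n'}}}
```

Calling lint(DEPLOYMENT, [SPC]) returns an empty list; moving serviceAccountName up to the Deployment spec, or leaving the {YOUR_PROJECT_RESOURCE_ID} placeholder in place, produces a finding for each problem.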

One of the advantages of using the Secret Store CSI driver is that it allows you to manage your secrets in a centralized, secure location. You can use Google Cloud's Secret Manager service to create, rotate, and delete secrets, and the CSI driver will reflect these changes in your Kubernetes pods, provided the driver's secret rotation feature is enabled and the resourceName points at versions/latest rather than a pinned version. This makes it easy to keep your secrets up-to-date and secure.

Another advantage of the Secret Store CSI driver is that it integrates seamlessly with other Google Cloud services. For example, you can use Cloud Functions or Cloud Scheduler to automatically rotate your secrets on a regular basis, or you can use Cloud Identity-Aware Proxy to limit access to your secrets to authorized users.

In summary, the Secret Store CSI driver is a powerful tool for managing secrets in Kubernetes. By using it, you can store and manage your secrets in a centralized, secure location and access them from your Kubernetes pods using the Container Storage Interface. If you're running applications on Kubernetes and need to manage secrets, give the Secret Store CSI driver a try!
